Permanently enabling SSH on ESXi via PowerShell

As you all know by now, ESXi comes with SSH, which VMware now refers to as Tech Support Mode, disabled. The reasons behind this include security and the removal of the service console. While the service console has been removed, a shell called BusyBox remains. According to VMware best practice, SSH should not be enabled as it should not be needed. Of course, customers require this kind of access to install agents and to troubleshoot problems. VMware’s response was to enable remote access to the systems via vCenter Server, vMA, or an API and to recommend reinstalling ESXi should troubleshooting become necessary. If you want to read more about this, I would recommend seeing Duncan’s post over at yellow-bricks:
Recently, I ran into an issue where several potential ESXi bugs were discovered, which required SSH access to the ESXi host as the logs were lacking information (one of the reported bugs) and the commands that needed to be executed could not be done remotely (e.g. df -h). As such, I was asked to enable SSH on 64 ESXi hosts. Performing this task manually was not an option, so I turned to PowerCLI to automate the task.
This raises the question, how do you enable SSH on ESXi via PowerCLI?

This question has been raised and answered multiple times and can easily be found with a simple Google search. The best article I could find that listed multiple ways to solve this problem was Given my desire to perform the task with PowerCLI, I navigated to option four and ran:

Get-VMHost | Foreach { Start-VMHostService -HostService ($_ | Get-VMHostService | Where { $_.Key -eq "TSM-SSH" } ) }

The issue with this command is that while it enables SSH on the ESXi host it only enables it until the host is powered down or restarted. If you had a host failure (e.g. power outage or hardware issue) or had to reboot this host (e.g. to apply a patch) after executing the command to enable SSH, SSH would be disabled when the host came back online. To confirm this, execute the above command and then use the vSphere client to connect to the host. Go to Configuration – Security Profile – Properties… Select Remote Tech Support (SSH) and select Options… Notice how the Startup Policy is set to Start and stop manually and not set to Start and stop with host. So how do you permanently enable SSH on ESXi via PowerCLI?
Well, I have not found a way. I assume a way exists as I found the following post which states that SSH can be enabled via PowerCLI and the policy can be set to automatic: However, even in their case they still had an issue where they wanted to execute ‘/sbin/ restart’ and could not do so via PowerCLI. The good news is I found a way to perform both of these actions, though not through traditional VMware PowerCLI commands.
First, enable SSH as outlined above. Now that SSH is enabled you can SSH to the ESXi host. If you can SSH to the ESXi host then you can run commands on the ESXi host. If you can run commands on the ESXi host then you can run ‘vim-cmd hostsvc/enable_remote_tsm’ as outlined in option six of the article I initially linked to, which will enable SSH across server reboots, as well as run ‘/sbin/ restart’.
To do this, download plink.exe to the host running PowerCLI and then create a function like the following:

Function plink($plinkLoc, $esxHost, $esxUser, $esxPass, $remoteCommand) {
    # Build the base command line: <plink.exe> -pw <password> <user>@<host>
    $command = $plinkLoc + " -pw " + $esxPass + " " + $esxUser + "@" + $esxHost
    # Needed to accept the RSA host key on the first connection. Note that piping "y"
    # accepts whatever key the host presents, so the key is never actually verified.
    Invoke-Expression -Command "echo y | $command exit" | Out-Null
    # Append the remote command; the short sleep lets output flush before the session exits
    $command += ' "' + $remoteCommand + '; sleep 1; exit"'
    #Write-Host $command
    $t = Invoke-Expression -Command $command
    Return $t
}

Then simply execute your function with the appropriate command line arguments:

plink 'C:\Users\Administrator\Downloads\plink.exe' 'esx01' 'root' 'password' `
'vim-cmd hostsvc/enable_remote_tsm; /sbin/ restart'

Once the command completes, you can confirm everything is configured properly by double-checking the vSphere client.
The great thing is that you can use the above function to run any command on any number of ESXi hosts that have SSH enabled. Of course, you should change the function such that a plain-text password does not need to be passed. This post strictly serves as a proof-of-concept example.
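A hardened version of the wrapper, added here as an example and not code from the original post: it replaces the plain-text password with a PuTTY-format private key, pins the expected SSH host key fingerprint instead of blindly answering "y", avoids Invoke-Expression so the remote command string cannot alter the local command line, and checks the resulting startup policy with PowerCLI. It assumes plink.exe 0.66 or later (which added -hostkey), that the key's public half is already authorized for the user on the host, and that the key is unencrypted or loaded in Pageant; the function names, paths and fingerprint below are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes plink.exe 0.66+ (-hostkey support)
# and that the public half of $KeyFile is already in the host's authorized_keys for $EsxUser.
Function Invoke-EsxiPlink {
    param(
        [Parameter(Mandatory)] [string] $PlinkPath,           # local path to plink.exe
        [Parameter(Mandatory)] [string] $EsxHost,
        [Parameter(Mandatory)] [string] $HostKeyFingerprint,  # expected host key fingerprint
        [Parameter(Mandatory)] [string] $KeyFile,             # PuTTY-format private key (.ppk)
        [Parameter(Mandatory)] [string] $RemoteCommand,
        [string] $EsxUser = 'root'
    )
    if (-not (Test-Path $PlinkPath)) { throw "plink not found at $PlinkPath" }
    if (-not (Test-Path $KeyFile))   { throw "private key not found at $KeyFile" }

    # -batch: never prompt. A host key that does not match -hostkey aborts the connection
    # (the 'echo y |' trick in the original accepted whatever key the host presented).
    # Passing an argument array to the call operator (&) instead of Invoke-Expression means
    # quotes or semicolons inside $RemoteCommand cannot change the local command line.
    $plinkArgs = @('-batch', '-ssh',
                   '-hostkey', $HostKeyFingerprint,
                   '-i', $KeyFile,
                   '-l', $EsxUser,
                   $EsxHost, $RemoteCommand)
    $output = & $PlinkPath @plinkArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "plink exited with code $LASTEXITCODE on ${EsxHost}: $output"
    }
    return $output
}

# Verify the result with PowerCLI instead of clicking through the vSphere client: the
# HostService object's Policy property reports the startup policy ("on" = start and stop with host).
Function Get-EsxiSshPolicy($EsxHost) {
    $svc = Get-VMHost -Name $EsxHost | Get-VMHostService | Where-Object { $_.Key -eq 'TSM-SSH' }
    return [pscustomobject]@{ Host = $EsxHost; Running = $svc.Running; Policy = $svc.Policy }
}

# Usage with constructed placeholder values. Obtain the fingerprint out of band (e.g. from the
# host's console), not from the first connection, otherwise pinning verifies nothing.
$fp = '00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff'
Invoke-EsxiPlink -PlinkPath 'C:\Tools\plink.exe' -EsxHost 'esx01' -HostKeyFingerprint $fp `
                 -KeyFile 'C:\Tools\esx-admin.ppk' -RemoteCommand 'vim-cmd hostsvc/enable_remote_tsm'
Get-EsxiSshPolicy 'esx01'
```

Wrap the two calls in a ForEach over your host list (with one fingerprint per host) to cover many ESXi hosts in one pass.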

© 2011, Steve Flanders. All rights reserved.
